View Single Post
  #5  
Old 03-27-2020, 17:15
h4sh3m h4sh3m is online now
Friend
 
Join Date: Aug 2016
Posts: 36
Rept. Given: 0
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 35
Thanks Rcvd at 63 Times in 26 Posts
h4sh3m Reputation: 4
Sample for NtClose in delphi(x86 api), before testing check function index in your system and replace it in array(in my system index value is $0C).

Code:
program Project1;

{$APPTYPE CONSOLE}

uses
  Windows;

var
  Nt_xyz{NtClose} : function(a1 : THandle) : DWORD; Stdcall;
  Nt_xyz_Bytes : array[0..23] of Byte = ($B8, $0C, $00, $00, $00, $33, $C9, $8D, $54, $24, $04, $64, $FF, $15, $C0, $00, $00, $00, $83, $C4, $04, $C2, $04, $00);
  w : DWORD;
  hndl : THandle;

begin
  if not(VirtualProtect(@Nt_xyz_Bytes[0], High(Nt_xyz_Bytes), PAGE_EXECUTE, w)) then
    exit;

  FlushInstructionCache(GetCurrentProcess(), @Nt_xyz_Bytes[0], High(Nt_xyz_Bytes));

  @Nt_xyz := @Nt_xyz_Bytes[0];

  hndl := OpenProcess(PROCESS_VM_READ{PROCESS_ALL_ACCESS}, False, GetCurrentProcessId);
  if hndl <> 0 then
    Nt_xyz(hndl);
    //CloseHandle(hndl);
end.
Reply With Quote